Dell Data Security Endpoint Security Suite Pro Basic Installation Guide v1.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2017 Dell Inc. All rights reserved.Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents 1 Introduction....................................................................................................................................................5 Before You Begin................................................................................................................................................................5 Using This Guide.................................................................................................................................................
Uninstall SED and Advanced Authentication Clients...................................................................................................25 Process........................................................................................................................................................................25 Deactivate the PBA...................................................................................................................................................
1 Introduction This guide details how to install and configure the application using the Endpoint Security Suite Pro master installer. This guide gives basic installation assistance. See the Advanced Installation Guide if you need information about installing the child installers, Security Management Server/Security Management Server Virtual configuration, or information beyond basic assistance with the Endpoint Security Suite Pro master installer.
2 Thoroughly read the Requirements chapter of this document. 3 Deploy clients to end users. Using This Guide Use this guide in the following order. • See Requirements for client prerequisites. • Select one of the following: • Install Interactively Using the Master Installer or • Install by Command Line Using the Master Installer Contact Dell ProSupport Call 877-459-7304, extension 4310039 for 24x7 phone support for your Dell product.
2 Requirements All Clients • IT best practices should be followed during deployment. This includes, but is not limited to, controlled test environments for initial tests, and staggered deployments to users. • The user account performing the installation/upgrade/uninstallation must be a local or domain administrator user, which can be temporarily assigned by a deployment tool such as Microsoft SMS or Dell KACE. A non-administrator user that has elevated privileges is not supported.
All Clients - Localization • The Encryption, Threat Protection, and BitLocker Manager clients are Multilingual User Interface (MUI) compliant and are localized in the following languages. Language Support • EN - English • JA - Japanese • ES - Spanish • KO - Korean • FR - French • PT-BR - Portuguese, Brazilian • IT - Italian • PT-PT - Portuguese, Portugal (Iberian) • DE - German Encryption Client • The client computer must have network connectivity to activate.
Windows Operating Systems (32- and 64-bit) • • • • Windows 8.1 Update 0-1: Enterprise Edition, Pro Edition Windows Embedded 8.1 Industry Enterprise (hardware encryption is not supported) Windows 10: Education, Enterprise, Pro through Creators Update (Redstone 2) VMware Workstation 5.5 and higher NOTE: When using UEFI mode, the Secure Hibernation policy is not supported.
Mac Operating Systems Supported to Access Encryption External Media-Protected Media (64-bit kernels) • • • Mac OS X Yosemite 10.10.5 Mac OS X El Capitan 10.11.6 macOS Sierra 10.12.5 and 10.12.6 Threat Protection Client • The Threat Protection clients cannot be installed without the Encryption client being detected on the computer. Installation will fail if attempted. • To successfully install Threat Protection, the computer must have network connectivity.
Use Application Protocol Transport Port Number Protocol Destination Direction Reputation Service Feedback SSL TCP 443 gtifeedback.trustedsource.or g Outbound Quarantine Manager HTTP TCP 80 Bi-directional 443 Your Security Management Server/Security Management Server Virtual URL Reputation Database Update HTTP TCP 80 list.smartfilter.com Outbound URL Reputation Lookup SSL TCP 443 tunnel.web.trustedsource.
• SED Management is not supported with Server Encryption. SED Client Prerequisites • The Endpoint Security Suite Pro master installer installs the following prerequisites if not already installed on the computer.
Language Support • JA - Japanese • RU - Russian SED Client Operating Systems • The following table details the supported operating systems. Windows Operating Systems (32- and 64-bit) • Windows 7 SP0-SP1: Enterprise, Professional (supported with Legacy Boot mode but not UEFI) NOTE: Legacy Boot mode is supported on Windows 7. UEFI is not supported on Windows 7. NVMe self-encrypting drives are not supported with Windows 7. • • • Windows 8: Enterprise, Pro, Windows 8.
Smart Cards • • Common Access Cards (CACs) Class B/SIPR Net Cards Advanced Authentication Client Operating Systems Windows Operating Systems • The following table details supported operating systems. Windows Operating Systems (32- and 64-bit) • • • • Windows 7 SP0-SP1: Enterprise, Professional, Ultimate Windows 8: Enterprise, Pro Windows 8.
Windows Operating Systems • • Windows Server 2012 R2: Standard Edition, Enterprise Edition (64-bit) Windows Server 2016 Dell Data Security Endpoint Security Suite Pro Requirements 15
3 Install Using the Master Installer • Command line switches and parameters are case-sensitive. • To install using non-default ports, use the child installers instead of the master installer. • Endpoint Security Suite Pro master installer log files are located at C:\ProgramData\Dell\Dell Data Protection\Installer. • Instruct users to see the following document and help files for application assistance: • See the Dell Encrypt Help to learn how to use the feature of the Encryption client.
6 Click Next to install the product in the default location of C:\Program Files\Dell\Dell Data Protection\. Dell recommends installing in the default location only, as problems may arise when installing in other locations. 7 Select the components to be installed. Security Framework installs the underlying security framework and Advanced Authentication, the advanced authentication client that manages multiple authentication methods, including PBA and credentials such as fingerprints and passwords.
8 Click Install to begin the installation. Installation will take several minutes. 9 Select Yes, I want to restart my computer now and click Finish.
Installation is complete. Install by Command Line Using the Master Installer • The switches must be specified first in a command line installation. Other parameters go inside an argument that is passed to the /v switch. Switches • The following table describes the switches that can be used with the Endpoint Security Suite Pro master installer.
Parameter Description SUPPRESSREBOOT Suppresses the automatic reboot after the installation completes. Can be used in SILENT mode. SERVER Specifies the URL of the Security Management Server/Security Management Server Virtual. InstallPath Specifies the path for the installation. Can be used in SILENT mode. FEATURES Specifies the components that can be installed in SILENT mode.
4 Uninstall Using the Endpoint Security Suite Pro Master Installer • Each component must be uninstalled separately, followed by uninstallation of the Endpoint Security Suite Pro master installer. The clients must be uninstalled in a specific order to prevent uninstallation failures. • Follow the instructions in Extract the Child Installers from the Master Installer to obtain child installers.
5 Uninstall Using the Child Installers • To uninstall each client individually, the child executable files must first be extracted from the Endpoint Security Suite Pro master installer, as shown in Extract the Child Installers from the Master Installer Alternatively, run an administrative installation to extract the .msi. • Ensure that the same versions of client are used for uninstallation as installation. • Command line switches and parameters are case-sensitive.
Option Meaning /qb!- Progress dialog without Cancel button, restarts itself after process completion /qn No user interface Uninstall Threat Protection Clients Command Line Uninstallation • Once extracted from the Endpoint Security Suite Pro master installer, the Threat Protection client installer can be located at C: \extracted\Threat Protection\ThreatProtection\WinXXR\DellThreatProtection.msi. • Go to Add/Remove Programs in the Control Panel and uninstall the following components in this order.
Command Line Uninstallation • Once extracted from the Endpoint Security Suite Pro master installer, the Encryption client installer can be located at C:\extracted \Encryption\DDPE_XXbit_setup.exe. • The following table details the parameters available for the uninstallation.
DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 DA_SERVER=server.organization.com DA_PORT=8050 SVCPN=administrator@organization.com DA_RUNAS=domain\username DA_RUNASPWD=password /qn" MSI Command: msiexec.exe /s /x "Dell Data Protection Encryption.msi" /qn REBOOT="ReallySuppress" CMG_DECRYPT="1" CMGSILENTMODE="1" DA_SERVER="server.organization.com" DA_PORT="8050" SVCPN="administrator@domain.com" DA_RUNAS="domain\username" DA_RUNASPWD="password" /qn Reboot the computer when finished.
5 If you know the Hostname of the computer, enter it in the Hostname field (wildcards are supported). You may leave the field blank to display all computers. Click Search. If you do not know the Hostname, scroll through the list to locate the computer. A computer or list of computers displays based on your search filter. 6 Select the Details icon of the desired computer. 7 Click Security Policies on the top menu. 8 Select Self-Encrypting Drives.from the Policy Category drop-down menu.
6 Extract the Child Installers from the Endpoint Security Suite Pro Master Installer • The master installer is not a master uninstaller. Each client must be uninstalled individually, followed by uninstallation of the master installer. Use this process to extract the clients from the master installer so that they can be used for uninstallation. 1 From the Dell installation media, copy the DDSSuite.exe file to the local computer. 2 Open a command prompt in the same location as the DDSSuite.
7 Configure Key Server for Uninstallation of Encryption Client Activated Against Security Management Server • This section explains how to configure components for use with Kerberos Authentication/Authorization when using an Security Management Server. The Security Management Server Virtual does not use the Key Server. • If Kerberos Authentication/Authorization is to be used, then the server that contains the Key Server component will need to be part of the affected domain.
4 Restart the Key Server Service (leave the Services panel open for further operation). 5 Navigate to log.txt to verify that the Service started properly. Key Server Config File - Add User for Security Management Server Communication 1 Navigate to . 2 Open Credant.KeyServer.exe.config with a text editor.
Remote Management Console - Add Forensic Administrator 1 If needed, log on to the Remote Management Console. 2 Click Populations > Domains. 3 Select the appropriate Domain. 4 Click the Key Server tab. 5 In the Account field, add the user that will be performing the administrator activities. The format is DOMAIN\UserName. Click Add Account. 6 Click Users in the left menu. In the search box, search for the username added in Step 5. Click Search.
8 Use the Administrative Download Utility (CMGAd) • This utility allows the download of a key material bundle for use on a computer that is not connected to an Security Management Server/Security Management Server Virtual. • This utility uses one of the following methods to download a key bundle, depending on the command line parameter passed to the application: • Forensic Mode - Used if -f is passed on the command line or if no command line parameter is used.
3 In the Passphrase: field, type a passphrase to protect the download file. The passphrase must be at least eight characters long, and contain at least one alphabetic and one numeric character. Confirm the passphrase. Either accept the default name and location of where the file will be saved to or click ... to select a different location. Click Next. A message displays, indicating that the key material was successfully unlocked. Files are now accessible. 4 32 Click Finish when complete.
Use the Administrative Download Utility in Admin Mode The Security Management Server Virtual does not use the Key Server, so Admin mode cannot be used to obtain a key bundle from a Security Management Server Virtual. Use Forensic mode to obtain the key bundle if the client is activated against a Security Management Server Virtual. 1 Open a command prompt where CMGAd is located and type cmgad.exe -a. 2 Enter the following information (some fields may be pre-populated).
Click Next. A message displays, indicating that the key material was successfully unlocked. Files are now accessible. 4 34 Click Finish when complete.
9 Troubleshooting All Clients - Troubleshooting • Endpoint Security Suite Pro master installer log files are located at C:\ProgramData\Dell\Dell Data Protection\Installer. • Windows creates unique child installer installation log files for the logged in user at %temp%, located at C:\Users\ \AppData\Local\Temp. • Windows creates log files for client prerequisites, such as Visual C++, for the logged in user at %temp%, located at C:\Users \\AppData\Local\Temp. For example, C:\Users\
The Encryption External Media Access to unShielded Media policy interacts with Port Control System - Storage Class: External Drive Control policy. If you intend to set the Encryption External Media Access to unShielded Media policy to Full Access, ensure that the Storage Class: External Drive Control policy is also set to Full Access to ensure that the media is not set to read-only and the port is not blocked. To Encrypt Data Written to CD/DVD • Set Windows Media Encryption = On.
OR 1 Click Advanced to toggle the view to Simple to scan a particular folder. 2 Go to Scan Settings and enter the folder path in the Search Path field. If this field is used, the selection in the drop-down box is ignored. 3 If you do not want to write WSScan output to a file, clear the Output to File check box. 4 Change the default path and filename in Path, if desired. 5 Select Add to Existing File if you do not want to overwrite any existing WSScan output files.
WSScan Output WSScan information about encrypted files contains the following information. Example Output: [2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted Output Meaning Date/time stamp The date and time the file was scanned. Encryption type The type of encryption used to encrypt the file. SysData: SDE Encryption Key.
Output Meaning User: User Encryption Key. Common: Common Encryption Key. WSScan does not report files encrypted using Encrypt for Sharing. KCID The Key Computer ID. As shown in the example above, "7vdlxrsb" If you are scanning a mapped network drive, the scanning report does not return a KCID. UCID The User ID. As shown in the example above, "_SDENCR_" The UCID is shared by all the users of that computer. File The path of the encrypted file. As shown in the example above, "c:\temp\Dell - test.
• • An error occurred during the decryption sweep. • In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent Service to force another decryption sweep. Complete - The decryption sweep is complete. The Service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart.
2 Select your computer model.
3 42 Select Drivers & Downloads.
4 Select the Operating System of the target computer. 5 Expand the Security category.
6 Download and save the Dell ControlVault Drivers. 7 Download and save the Dell ControlVault Firmware.
8 Copy the drivers and firmware to the target computers, if needed. Install Dell ControlVault Driver 1 Navigate to the folder which you downloaded the driver installation file. 2 Double-click the Dell ControlVault driver to launch the self-extracting executable file. TIP: Be sure to install the driver first. The filename of the driver at the time of this document creation is ControlVault_Setup_2MYJC_A37_ZPE.exe. 3 Click Continue to begin.
4 Click Ok to unzip the driver files in the default location of C:\Dell\Drivers\. 5 Click Yes to allow the creation of a new folder. 6 Click Ok when the successfully unzipped message displays. 7 The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. In this case, the folder is JW22F.
8 Double-click CVHCI64.MSI to launch the driver installer. [this example is CVHCI64.MSI in this example (CVHCI for a 32-bit computer)]. 9 Click Next at the Welcome screen. 10 Click Next to install the drivers in the default location of C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\.
11 Select the Complete option and click Next. 12 Click Install to begin the installation of the drivers.
13 Optionally check the box to display the installer log file. Click Finish to exit the wizard. Verify Driver Installation • The Device Manager will have a Dell ControlVault device (and other devices) depending on the operating system and hardware configuration.
1 Navigate to the folder which you downloaded the firmware installation file. 2 Double-click the Dell ControlVault firmware to launch the self-extracting executable file. 3 Click Continue to begin. 4 Click Ok to unzip the driver files in the default location of C:\Dell\Drivers\. 5 Click Yes to allow the creation of a new folder.
6 Click Ok when the successfully unzipped message displays. 7 The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. Select the firmware folder. 8 Double-click ushupgrade.exe to launch the firmware installer. 9 Click Start to begin the firmware upgrade.
IMPORTANT: You may be asked to enter the admin password if upgrading from an older version of firmware. Enter Broadcom as the password and click Enter if presented with this dialog. Several status messages display.
Dell Data Security Endpoint Security Suite Pro Troubleshooting 53
10 Click Restart to complete the firmware upgrade. The update of the Dell ControlVault drivers and firmware is complete.
10 Glossary Advanced Authentication - The Advanced Authentication product supports login with self-encrypting drives, SSO, and manages user credentials and passwords. In addition, Advanced Authentication can be used to access not only PCs, but any website, SaaS, or application. Once users enroll their credentials, Advanced Authentication allows use of those credentials to logon to the device and perform password replacement.
Protection - Blocks unsafe websites and downloads from those websites during online browsing and searching, based on safety ratings and reports for websites.
